Elliptic Curve Cryptography

May 20, 2023

Elliptic Curve Cryptography (ECC) is an advanced cryptographic technology that is widely used in modern computer systems and communication networks for ensuring data security and privacy. First proposed by Neal Koblitz and Victor S. Miller independently in 1985, ECC has become an essential building block for secure communication protocols, digital signatures, and privacy-preserving technologies. ECC is based on the algebraic properties of elliptic curves over finite fields, offering a high level of security with relatively small key sizes compared to other public key cryptosystems, such as RSA or Diffie-Hellman.

Mathematical Foundation

The underlying mathematics of ECC involves elliptic curves, which are smooth, non-degenerate curves defined by a simple equation in two variables. An elliptic curve E over a finite field F can be represented by the equation:


$$y^2 = x^3 + ax + b$$

where a and b are elements of the finite field F, and the curve has no singular points. The set of all points on the elliptic curve, along with a special point at infinity called O, forms an abelian group with respect to a well-defined addition operation. This group operation provides the basis for designing cryptographic primitives using elliptic curves.

ECC relies on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP) for its security. The ECDLP states that, given an elliptic curve E, a point P on the curve, and a point Q = nP obtained by adding P to itself n times, it is computationally infeasible to determine the integer n. In other words, the ECDLP is the elliptic curve analogue of the Discrete Logarithm Problem (DLP) in traditional public key cryptography.

Key Generation

ECC-based cryptosystems require the generation of a pair of public and private keys for each participant. The key generation process typically involves the following steps:

  1. Selection of a suitable elliptic curve E and a base point G on the curve. These parameters are usually chosen by a trusted authority or agreed upon by the communicating parties and can be reused for multiple key pairs.
  2. The private key is a randomly chosen integer d, where 1 <= d <= n-1, and n is the order of the base point G, i.e., the smallest positive integer such that nG = O.
  3. The public key is computed as the point Q on the curve, obtained by adding the base point G to itself d times, i.e., Q = dG.

The private key must be kept secret, while the public key can be shared freely with other parties.

Elliptic Curve Diffie-Hellman (ECDH) Key Exchange

The ECDH protocol is an elliptic curve variant of the classic Diffie-Hellman key exchange, which allows two parties to establish a shared secret over an insecure channel without prior knowledge of each other’s private keys. The ECDH protocol involves the following steps:

  1. Each party generates a pair of public and private keys, as described in the key generation process above.
  2. The parties exchange their public keys over the insecure channel.
  3. Each party computes the shared secret by multiplying the received public key with their private key. Due to the associative property of the elliptic curve group operation, the resulting points on the curve are identical for both parties, i.e., dA * (dB * G) = dB * (dA * G).

The shared secret can then be used as a symmetric key for encrypting and decrypting messages between the parties.

Elliptic Curve Digital Signature Algorithm (ECDSA)

ECDSA is a widely used digital signature scheme based on ECC, which allows a signer to generate a signature for a message, and a verifier to check the authenticity of the signature. The ECDSA protocol consists of the following steps:


  1. The signer computes the hash of the message to be signed, denoted by H(m).
  2. The signer generates a random integer k, where 1 <= k <= n-1.
  3. The signer computes the point R = kG on the elliptic curve and extracts its x-coordinate, denoted by r. If r is equal to zero, a new random k must be chosen.
  4. The signer computes the integer s = (H(m) + dr) * k^(-1) mod n. If s is equal to zero, a new random k must be chosen.
  5. The signature for the message is the pair of integers (r, s).


  1. The verifier computes the hash of the message, denoted by H(m).
  2. The verifier checks that the signature integers r and s are in the range 1 <= r, s <= n-1. If not, the signature is invalid.
  3. The verifier computes the integers u1 = H(m) * s^(-1) mod n and u2 = r * s^(-1) mod n.
  4. The verifier computes the point R’ = u1 * G + u2 * Q on the elliptic curve, where Q is the signer’s public key.
  5. The verifier extracts the x-coordinate of R’, denoted by r’. If r’ is equal to r, the signature is valid; otherwise, the signature is invalid.

ECDSA provides the properties of non-repudiation and integrity, which are essential for secure electronic transactions and digital document signing.

Security and Performance

ECC offers a high level of security with smaller key sizes compared to other public key cryptosystems, such as RSA or Diffie-Hellman. For instance, a 256-bit ECC key provides similar security to a 3072-bit RSA key, while requiring less computational resources and storage.

The smaller key sizes and computational efficiency of ECC make it particularly suitable for resource-constrained environments, such as embedded systems, Internet of Things (IoT) devices, and mobile applications. Furthermore, ECC is considered to be resistant to attacks by quantum computers, providing an additional layer of security for future-proofing cryptographic systems.